View Issue Details
| Field | Value |
|---|---|
| ID | 0011084 |
| Project | mantisbt |
| Category | authentication |
| View Status | public |
| Date Submitted | 2009-10-27 03:59 |
| Last Update | 2013-05-16 07:55 |
| Reporter | SUZ |
| Assigned To | |
| Priority | normal |
| Severity | minor |
| Reproducibility | always |
| Status | acknowledged |
| Resolution | fixed |
| Platform | |
| OS | |
| OS Version | |
| Product Version | 1.1.8 |
| Target Version | |
| Fixed in Version | |
| Summary | 0011084: Login Dialog keeps popping up when using HTTP_AUTH |
| Description | Using HTTP_AUTH to enable users to login with their System-Password doesn't work. The function auth_does_password_match doesn't handle HTTP_AUTH and therefore one cannot log in. Instead the Login Dialog keeps popping up. |
| Tags | No tags attached. |
| Attached Files | |
Notes

gerald2545 (reporter) 2013-05-14 16:39

Problem still present in v 1.2.15. Can be solved by adding the lines marked below (shown in bold in the original note) in the file core/authentication_api.php:

```php
function auth_does_password_match( $p_user_id, $p_test_password ) {
	$t_configured_login_method = config_get( 'login_method' );

	// Lines added by this note: short-circuit the password check when HTTP_AUTH is configured
	if( HTTP_AUTH == $t_configured_login_method ) {
		return true;
	}

	if( LDAP == $t_configured_login_method ) {
		return ldap_authenticate( $p_user_id, $p_test_password );
	}
	// ... remainder of the function as in 1.2.15 (not quoted in the note)
}
```

grangeway (developer) 2013-05-15 16:55

This isn't actually the correct fix for this issue: HTTP_AUTH was designed for the situation where username+password were set in server headers; therefore adding a bypass here introduces a security risk.

dregad (developer) 2013-05-15 19:01

Ok, I'll revert the commit. Thx for your input.

gerald2545 (reporter) 2013-05-16 06:04 (edited on: 2013-05-16 07:55)

I did some tests.

Config: Mantis 1.2.15 running in Apache 2.2.3 on Red Hat 5.3, $g_login_method = HTTP_AUTH in config_inc.php.

Case 1, Mantis source 1.2.15 without changes: if no username+password are set in server headers (e.g. no Apache authentication method set on the Mantis directory, i.e. Allow From all), then Mantis asks the user for credentials (auth_http_prompt() in login.php).
- If no passwords are stored in the Mantis database: Mantis keeps on asking the users for credentials.
- Else, if passwords are stored in the database encrypted with MD5, you can access the Mantis UI, but Mantis replaces the password in the database in plain text (!!) so that you won't be able to log in the next time.

Case 2, Mantis source 1.2.15 without changes: if username+password are set in server headers (e.g. Apache authentication method set on the Mantis directory, i.e. AuthType/AuthName/Require/Satisfy), then:
- If the user gives wrong credentials (i.e. Apache can't authenticate the user), Apache keeps on asking the user for good credentials.
- Else Mantis asks the user for credentials too (auth_http_prompt() in login.php), which we don't want as Apache already authenticated the user.

Case 3, Mantis source 1.2.15 with changes in note 0011084:0036858: if no username+password are set in server headers (e.g. no Apache authentication method set on the Mantis directory, i.e. Allow From all), then Mantis asks the user for credentials (auth_http_prompt() in login.php).
- If no passwords are stored in the Mantis database, or stored in plain text: Mantis keeps on asking the users for credentials.
- Else, if passwords are stored in the database encrypted with MD5, you can access the Mantis UI and the password is not altered, so that you will be able to log in the next time.

Case 4, Mantis source 1.2.15 with changes in note 0011084:0036858: if username+password are set in server headers (e.g. Apache authentication method set on the Mantis directory, i.e. AuthType/AuthName/Require/Satisfy), then:
- If the user gives wrong credentials (i.e. Apache can't authenticate the user), Apache keeps on asking the user for good credentials.
- Else the user can access the Mantis UI and the password in the database is not altered.

I conclude that if the login method is set to HTTP_AUTH and you don't configure your web server to ask the user for credentials, Mantis is protected as it tries to authenticate the user against the database. I don't understand where the security risk is. Am I right?

Gerald
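The following is an added illustration of the design question grangeway and gerald2545 are arguing about; it is example code written for this page, not MantisBT's own code. It models both options in a self-contained way: the short-circuit from note 0036858 inside the password matcher, and the alternative of leaving the password matcher honest and deciding an HTTP_AUTH login from the identity the web server asserted. The constant names, the `login()` helper, the constructed user table and the assumption that a web-server-authenticated request carries `REMOTE_USER` are all assumptions of the example.

```php
<?php
// Added illustration, not MantisBT code. Models the two designs discussed in this issue:
// (1) the short-circuit from note 0036858 inside the password matcher, and
// (2) keeping the password check honest and deciding HTTP_AUTH logins from the
//     identity the web server asserted.
// All names, constant values and the user table below are constructed for the example.

const LOGIN_METHOD_MD5       = 'MD5';
const LOGIN_METHOD_HTTP_AUTH = 'HTTP_AUTH';

// Constructed user table (example only; MantisBT 1.2 stores MD5 hashes, which is what
// the note above refers to, but the point does not depend on the hash algorithm).
function example_users(): array {
    return ['alice' => password_hash('correct horse', PASSWORD_DEFAULT)];
}

// Honest password check: the stored hash must verify, whatever login method is configured.
function password_matches(array $users, string $user, string $password): bool {
    return isset($users[$user]) && password_verify($password, $users[$user]);
}

// Variant 1: the change proposed in note 0036858. Once HTTP_AUTH is configured, every
// caller of this function gets "true" for any password, whether or not the web server
// authenticated anyone in front of the application.
function password_matches_with_bypass(string $login_method, array $users, string $user, string $password): bool {
    if ($login_method === LOGIN_METHOD_HTTP_AUTH) {
        return true;
    }
    return password_matches($users, $user, $password);
}

// Variant 2: the password matcher stays unchanged; the login flow accepts an HTTP_AUTH
// login only when the web server already authenticated the user and set REMOTE_USER
// (the contract this example assumes for HTTP_AUTH; in Apache terms, AuthType/Require
// configured on the Mantis directory).
function login(string $login_method, array $server, array $users, string $user, string $password): bool {
    if ($login_method === LOGIN_METHOD_HTTP_AUTH) {
        // No server-asserted identity (e.g. "Allow from all" with no AuthType): the request
        // is unauthenticated. Do not fall back to accepting any password.
        return isset($server['REMOTE_USER']) && $server['REMOTE_USER'] === $user;
    }
    return password_matches($users, $user, $password);
}

// Constructed scenarios matching gerald2545's cases: no Apache authentication in front,
// and Apache authentication already done for alice.
$users            = example_users();
$no_server_auth   = [];
$with_server_auth = ['REMOTE_USER' => 'alice'];

var_dump(password_matches_with_bypass(LOGIN_METHOD_HTTP_AUTH, $users, 'alice', 'wrong password'));
var_dump(login(LOGIN_METHOD_HTTP_AUTH, $no_server_auth,   $users, 'alice', 'wrong password'));
var_dump(login(LOGIN_METHOD_HTTP_AUTH, $with_server_auth, $users, 'alice', ''));
var_dump(login(LOGIN_METHOD_MD5,       $no_server_auth,   $users, 'alice', 'correct horse'));
```

The first call is the case grangeway objects to: with HTTP_AUTH configured, a wrong password is accepted by the matcher itself, so the protection gerald2545 describes in case 3 depends on the surrounding login flow rather than on the password check. In the second variant, an HTTP_AUTH request without a server-asserted identity is simply rejected, a request the web server already authenticated is accepted without consulting the database password, and the MD5 method still verifies the stored hash.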
Related Changesets

MantisBT: master-1.2.x 4775bff7
Timestamp: 2013-05-15 05:50:49 Author: dregad
Do not display login dialog when using HTTP_AUTH
Fixes 0011084
mod - core/authentication_api.php

MantisBT: master 90633ab8
Timestamp: 2013-05-15 05:50:49 Author: dregad
Do not display login dialog when using HTTP_AUTH
Fixes 0011084
mod - core/authentication_api.php

Issue History

| Date Modified | Username | Field | Change |
|---|---|---|---|
| 2009-10-27 03:59 | SUZ | New Issue | |
| 2013-05-14 16:39 | gerald2545 | Note Added: 0036858 | |
| 2013-05-14 16:52 | atrol | Relationship added | related to 0012458 |
| 2013-05-15 05:59 | dregad | Changeset attached | => MantisBT master-1.2.x 4775bff7 |
| 2013-05-15 05:59 | dregad | Assigned To | => dregad |
| 2013-05-15 05:59 | dregad | Status | new => resolved |
| 2013-05-15 05:59 | dregad | Resolution | open => fixed |
| 2013-05-15 05:59 | dregad | Fixed in Version | => 1.2.x |
| 2013-05-15 05:59 | dregad | Changeset attached | => MantisBT master 90633ab8 |
| 2013-05-15 05:59 | dregad | Target Version | => 1.2.x |
| 2013-05-15 16:54 | grangeway | Status | resolved => new |
| 2013-05-15 16:55 | grangeway | Note Added: 0036867 | |
| 2013-05-15 19:01 | dregad | Note Added: 0036868 | |
| 2013-05-15 19:02 | dregad | Assigned To | dregad => |
| 2013-05-15 19:02 | dregad | Status | new => acknowledged |
| 2013-05-15 19:02 | dregad | Fixed in Version | 1.2.x => |
| 2013-05-15 19:02 | dregad | Target Version | 1.2.x => |
| 2013-05-16 06:04 | gerald2545 | Note Added: 0036872 | |
| 2013-05-16 07:55 | gerald2545 | Note Edited: 0036872 | |

MantisBT 1.2.16dev master-1.2.x-8c2bd07
Copyright © 2000 - 2013 MantisBT Team